YubiHSM 2 Hardware Security Modules

Description

The YubiHSM 2 is a game changing hardware solution for protecting Certificate Authority root keys from being copied by attackers, malware, and malicious insiders. It offers superior cost effective security and easy deployment making it accessible for every organization. It offers a higher level of security for cryptographic digital key generation, storage, and management, for organizations running Microsoft Active Directory Certificate Services.

The YubiHSM 2 features are accessible by integrating with an open source and comprehensive software development toolkit (SDK) for a wide range of open source and commercial applications. The most common use case is hardware-based digital signature generation and verification. In additional emerging use cases such as securing cryptocurrency exchanges and IoT gateways are just a few examples of how the world’s smallest HSM can secure modern infrastructures.

Rapidly integrate with Hardware-based Strong SecurityYubiHSM 2 can be used as a comprehensive cryptographic toolbox for low-volume operations in conjunction with a huge set of open source and commercial applications spanning many different products and services. Most common use case involve on-chip hardware based processing for signature generation and verification. The YubiHSM 2 supports the PKCS#11 industry standard.

Secure Cryptocurrency Exchanges
With the explosive growth of the cryptocurrency market also comes a high volume of assets that need protection to mitigate against emerging security risks. The YubiHSM 2 allows organizations to strongly secure cryptographic keys and keep sensitive financial information safe.

Protect Internet of Things (IoT) EnvironmentsThe Internet-of-Things (IoT) is a rapidly emerging area where systems often operate in hostile environments. That makes securing cryptographics keys even more important as organizations need to protect sensitive information. Cryptographic keys are used in numerous IoT applications, with insufficient security in place. Developers building IoT applications can rapidly enable support for the YubiHSM 2 to protect cryptographic keys and keep critical IoT environments from falling victim to hostile takeovers.

Feature Details

Secure key storage and operations

Create, import, and store keys, then perform all crypto operations in the HSM hardware to prevent theft of keys while at rest or in use. This protects against both logical attacks against the server, such as zero-day exploits or malware, and physical theft of a server or its hard drive.

Secure session between HSM and application

The integrity and privacy of commands and data in transit between the HSM and applications are protected using a mutually authenticated, integrity and confidentiality protected tunnel.

Role-based access controls for key management and key usage

All cryptographic keys and other objects in the HSM belong to one or more security domains. Access rights are assigned for each authentication key at creation time which allow a specific set of cryptographic or management operations to be performed per security domain. Admins assign rights to authentication keys based on its use case, such as a event monitoring app that needs the ability to read all audit logs in the HSM, or a Registration Authority that needs to issue (sign) end user digital certificates, or a domain security admin who needs to create and delete crypto keys.

16 concurrent connections

Multiple applications can establish sessions with a YubiHSM to perform cryptographic operations. Sessions can be automatically terminated after inactivity or be long-lived to improve performance by eliminating session creation time.

Network Shareable

To increase the flexibility of deployments, the YubiHSM 2 can be made available for use over the network by applications on other servers. This can be especially advantageous on a physical server that is hosting multiple virtual machines.

Remote Management

Unique “Nano” form factor, low-power usage

The Yubico “Nano” form factor allows the HSM to be inserted completely inside a USB-A port so it’s completely concealed – no external parts that protrude out of the server back or front chassis. It uses minimal power, max of 30mA, for cost-savings on your power budget.

M of N wrap key Backup and Restore

Backing up and deploying cryptographic keys on multiple HSMs is a critical component of an enterprise security architecture, but it’s a risk to allow a single individual to have that ability. The YubiHSM supports setting M of N rules on the wrap key used to export keys for backup or transport, so that multiple administrators are required to import and decrypt a key to make it usable on additional HSMs. For example in an enterprise, the Active Directory root CA private key might be key wrapped for 7 administrators (M=7) and at least 4 of them (N=4) are required to import and unwrap (decrypt) the key in the new HSM.

Interfaces via YubiHSM KSP, PKCS#11, and native libraries

Crypto enabled applications can leverage the YubiHSM via Yubico’s Key Storage Provider (KSP) for Microsoft’s CNG or industry-standard PKCS#11. Native libraries are also available on Windows, Linux and macOS to enable more direct interaction with the device’s capabilities.

Tamper evident Audit Logging

The YubiHSM internally stores a log of all management and crypto operation events that occur in the device and that log can be exported for monitoring and reporting. Each event (row) in the log is hash chained with the previous row and signed so that it’s possible to determine if any events are modified or deleted.

Direct USB SupportNew Feature: The YubiHSM 2 can talk directly to the USB layer without the need for an intermediate HTTP mechanism. This delivers an improved experience for the developers who are developing solutions for virtualized environments.

Key wrap

Random numbers

Attestation

Asymmetric key pairs generated on-device may be attested using a factory certified attestation key and certificate, or using your own key and certificate imported into the HSM

Performance

Performance varies depending on usage. The accompanying Software Development Kit includes performance tools that can be used for additional measurements. Example metrics from an otherwise unoccupied YubiHSM 2:

Safety and environmental compliance

Host interface

Using your YubiKey:
Go to yubico.com/setup for instructions on how to set up your Security Key with each service. Steps to enroll your Security Key NFC may differ from service to service. We have provided steps based on our own testing, and link to those services for full instructions. Attaches to home and car keychains. Manufactured in USA and Sweden with high security and quality.

More Yubikey security tokens:

What is yubikey macau?

The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. Yubikey is a physical key to open your applications / access your online services. Using yubikey, you don’t need to use username/passwords to access all of your applications, dramatically reduces phishing attacks and risks from password theft.

How? buy one at https://atec-data.com yubikey Macau, then register the key at yubico.com, then login your application (Google mail, Microsoft account etc..) to register the key, those service providers will create a virtual lock for your key (private, public key encryption stuffs), then voilà! besides door to your house and treasure boxes, now you have a very secured key to all of your precious data vaults.